on:
  pull_request: {}
  push:
    branches:
    - main
    - master
    paths:
    - .github/workflows/semgrep.yml
  schedule:
  - cron: '0 0 * * 0'
name: Semgrep
permissions: read-all
jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-20.04
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    container:
      image: returntocorp/semgrep
    steps:
    - uses: actions/checkout@v3
    - run: semgrep ci
